TransformerOptimus SuperAGI
cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*
- <= 0.0.14
An authorization bypass vulnerability has been identified in TransformerOptimus SuperAGI versions through 0.0.14. The issue resides in the Budget Endpoint, specifically within the get_budget and update_budget functions of superagi/controllers/budget.py. This vulnerability allows authenticated users to read and modify budget information for any organization by manipulating budget IDs, as the application fails to verify ownership before processing requests. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for unauthorized access to and manipulation of budget data across different organizations. This could lead to financial discrepancies, such as unjustly increasing one's own budget or decreasing a victim's budget, potentially disrupting their operations by blocking automated agents from performing tasks.
To reproduce this vulnerability, authenticate as a user and obtain a valid JWT token. Then, use this token to access the budget management endpoints. The get_budget endpoint can be called to read any organization's budget by specifying a budget ID. Similarly, the update_budget endpoint can be used to modify any organization's budget by sending a request with the desired budget values, again using an organization-specific budget ID.
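The defect described above is a missing ownership check: the handlers resolve a budget by its ID alone and never confirm that it belongs to the caller's organisation. The following Python is an added, self-contained illustration of that pattern and its fix, not SuperAGI's own code; the in-memory store, the `organisation_id` and `max_budget` field names, and the `User`/`Budget` shapes are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    organisation_id: int  # assumed: set from the verified JWT, never from the request


@dataclass
class Budget:
    id: int
    organisation_id: int
    max_budget: float


class NotFound(Exception):
    pass


# Constructed in-memory store standing in for the database table.
BUDGETS = {
    1: Budget(id=1, organisation_id=10, max_budget=100.0),
    2: Budget(id=2, organisation_id=20, max_budget=250.0),
}


def get_budget_vulnerable(budget_id: int, user: User) -> Budget:
    # Lookup keyed on the client-supplied ID only: the caller's organisation is
    # never consulted, so any authenticated user can read any budget row.
    budget = BUDGETS.get(budget_id)
    if budget is None:
        raise NotFound(budget_id)
    return budget


def load_owned_budget(budget_id: int, user: User) -> Budget:
    # Scope the lookup to the caller's organisation. A foreign ID gets the same
    # NotFound as a nonexistent one, so the endpoint does not leak which IDs exist.
    budget = BUDGETS.get(budget_id)
    if budget is None or budget.organisation_id != user.organisation_id:
        raise NotFound(budget_id)
    return budget


def get_budget_fixed(budget_id: int, user: User) -> Budget:
    return load_owned_budget(budget_id, user)


def update_budget_fixed(budget_id: int, new_max: float, user: User) -> Budget:
    # Reuse the ownership-scoped loader so read and write paths cannot diverge.
    budget = load_owned_budget(budget_id, user)
    if new_max < 0:
        raise ValueError("budget must be non-negative")
    budget.max_budget = float(new_max)
    return budget
```

The important property is that both handlers go through the same organisation-scoped loader, so the fix cannot be applied to one endpoint and forgotten on the other.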